How do you allow an external role to access your AWS resource directly?

Hi,

Here's the setup:

We both manage two AWS accounts (Account1 and Account2). In the Account1, we have an application that will assume a role to access a DynamoDB table in the Account2. How do we grant permission to the (external) role directly to the DynamoDB table? We understand that role-chaining is the suggested approach, but it is not a possibility for us right now for some reason.

2 Answers

To allow an application in AWS Account1 to access a DynamoDB table in Account2 without role-chaining, follow these steps:

  1. Create an IAM Role in Account1: This role is for your application, with a trust relationship allowing it to assume the role.

Trusted Policy (example):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account1-ID:role/Role1"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permission policy (example):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::Account2-ID:role/Role2"
    }
  ]
}

  2. Grant Access in Account2:
    • Modify the IAM policy attached to the DynamoDB table in Account2.
    • Include a statement in the policy that allows the IAM role from Account1 access to the table. Use the role's ARN in the Principal field and specify the actions (e.g., dynamodb:GetItem, PutItem) your application needs.

Trusted policy (example):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account1-ID:role/Role1"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permission policy (example):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account2-ID:role/Role2"
            },
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:Region:Account2-ID:table/YourTableName"
        }
    ]
}
answered 2 months ago
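As an added example that is not part of the answer above and not AWS code, this Python script builds the two policy documents the steps describe (the trust policy on Role2 in Account2 naming Role1 in Account1 as the only principal, and the table's resource-based policy granting that external role just the DynamoDB actions it needs) and then reviews them for grants broader than that single external role. Account IDs, role names, region and the table ARN are constructed sample values, and the script assumes, as step 2 does, that the table carries a resource-based policy.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
TABLE_ARN = re.compile(r"^arn:aws:dynamodb:[a-z0-9-]+:(\d{12}):table/[\w.-]+$")

# Constructed sample identifiers, not real accounts or tables.
APP_ACCOUNT, DATA_ACCOUNT = "111111111111", "222222222222"
ROLE1 = f"arn:aws:iam::{APP_ACCOUNT}:role/Role1"
TABLE = f"arn:aws:dynamodb:us-east-1:{DATA_ACCOUNT}:table/YourTableName"

def trust_policy(trusted_role_arn):
    """Trust policy for Role2 in Account2: only the named external role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_role_arn},
        "Action": "sts:AssumeRole"}]}

def table_policy(principal_arn, table_arn, actions):
    """Resource-based policy on the table: the external role gets only the listed actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": sorted(actions), "Resource": table_arn}]}

def _aslist(v):
    return [v] if isinstance(v, str) else list(v)

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _aslist(p.get("AWS", []))

def review(policy, app_account, data_account=""):
    """Findings that would make a grant broader than 'this one role in Account1'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            m = ROLE_ARN.match(p)
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal {p!r} is broader than a single role")
            elif not m or m.group(1) != app_account:
                findings.append(f"principal {p!r} is not a role in account {app_account}")
        if any(a == "*" or a.endswith(":*") for a in _aslist(stmt.get("Action", []))):
            findings.append("wildcard Action grants more than the application needs")
        for r in _aslist(stmt.get("Resource", [])):
            m = TABLE_ARN.match(r)
            if data_account and (not m or m.group(1) != data_account):
                findings.append(f"resource {r!r} is not a table in account {data_account}")
    return findings
```

Run `review()` over both documents before applying them: an empty list means the trust relationship and the table grant are scoped to exactly the one external role, while a `"*"` or account-root principal or a `dynamodb:*` action shows up as a finding.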